SlideShare a Scribd company logo

Black Hat 2015 Arsenal: Noriben Malware Analysis

Brian Baskin
Brian Baskin

Demonstration of Noriben for Black Hat US 2015 Arsenal

Technology
1 of 17
Your Personal, Portable, Malware Analysis Sandbox Brian Baskin @bbaskin github.com/Rurik
Origin Story Nori-Ben: Seaweed Lunch Box Simplest “box” to make Cheap Minimal ingredients
Noriben  Simple Malware Analysis Sandbox – Wrapper for Microsoft SysInternals Process Monitor (ProcMon) – Build a Sandbox VM with just: ▪ Noriben.py ▪ Procmon.exe – Optional: ▪ Extra Procmon binary filters ▪ YARA signature files ▪ VirusTotal API Key ▪ Add new filters to the script
Goals  Quick malware analysis results  Flexibility for open-ended runs (manually stopped analysis)  Allow for user interaction  Analysis of: – GUI apps – Command line args – Malware requiring debugging (Z-flags, code/mem altering) – Long sleeps (hours, days)
Focus  Processes, File Activity, Registry Activity, Network Activity  Log high level API calls while filtering out known noise – Thumbnail creation – Prefetch creation – Explorer registry keys (MRUs) – RecentDocs – Malware analysis tools (CaptureBat, IDA, FakeNet) – VMWare Tools – Java updater …
ZeroAccess Processes Created: ================== [CreateProcess] Explorer.EXE:1432 > "%UserProfile%Desktophehda.exe" [Child PID: 2520] [CreateProcess] hehda.exe:2520 > "%WinDir%system32cmd.exe" [Child PID: 3444] File Activity: ================== [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357@ [MD5: 814c3536c2aab13763ac0beb7847a71f] [VT: Not Scanned] [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess_Bin] [VT: 50/55] [DeleteFile] cmd.exe:3444 > %UserProfile%Desktophehda.exe Registry Activity: ================== [CreateKey] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32 [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e- 409d6c4515e9}InprocServer32ThreadingModel = Both [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32(Default) = C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n. Network Traffic: ================== [UDP] hehda.exe:2520 > google-public-dns-a.google.com:53 [UDP] google-public-dns-a.google.com:53 > hehda.exe:2520 [HTTP] hehda.exe:2520 > 50.22.196.70-static.reverse.softlayer.com:80 [TCP] 50.22.196.70-static.reverse.softlayer.com:80 > hehda.exe:2520 [UDP] hehda.exe:2520 > 83.133.123.20:53
Upatre Campaign Processes Created: ================== [CreateProcess] python.exe:2752 > "malwaredocument.exe" [Child PID: 3048] [CreateProcess] document.exe:3048 > "malwaredocument.exe" [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe" [Child PID: 3632] [CreateProcess] nlibzar.exe:3632 > "%Temp%nlibzar.exe" [Child PID: 4056] File Activity: ================== [CreateFile] document.exe:3260 > %Temp%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %Temp%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] [DeleteFile] nlibzar.exe:4056 > %UserProfile%DesktopMALWAREdocument.exe [CreateFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE5CROVKFGZsuspendedpage[1].htm [MD5: 7acfe81f71e166364c90bfe156250da6] [VT: 0/56] [DeleteFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 216.146.38.70:80 [TCP] 216.146.38.70:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 8.5.1.58:80 [TCP] 8.5.1.58:80 > nlibzar.exe:4056
FakeAV (Track Activity Per Button Clicked)
FakeAV (Track Activity Per Button Clicked) Processes Created: ================== [CreateProcess] python.exe:2376 > "C:malwareFakeAV.exe“ [Child PID: 1556] [CreateProcess] FakeAV.exe:1556 > "%WinDir%system32cmd.exe /c taskkill /f /pid 1556 & ping -n 3 127.1 & del /f /q C:malwareFakeAV.exe & start C:DOCUME~1ADMINI~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 1164] [CreateProcess] cmd.exe:1164 > "taskkill /f /pid 1556 “ [Child PID: 1344] [CreateProcess] cmd.exe:1164 > "ping -n 3 127.1 " [Child PID: 2748] [CreateProcess] cmd.exe:1164 > "C:DOCUME~1ADMINI~1LOCALS~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 776] File Activity: ================== [CreateFile] FakeAV.exe:1556 > %AppData%dpncxxavk.exe [MD5: 8915c6a007fb93b29709be2f428e5cae] [DeleteFile] cmd.exe:1164 > C:MalwareFakeAV.exe [CreateFile] dpncxxavk.exe:776 > %AppData%GDIPFONTCACHEV1.DAT [File no longer exists] Registry Activity: ================== [RegDeleteValue] FakeAV.exe:1556 > HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnceFakeAV
Command line (e.g. HTran) Processes Created: ================== [CreateProcess] cmd.exe:3024 > "htran“ [Child PID: 3924] [CreateProcess] cmd.exe:3024 > "htran -h“ [Child PID: 3848] [CreateProcess] cmd.exe:3024 > "htran -install“ [Child PID: 3688] [CreateProcess] cmd.exe:3024 > "htran -start“ [Child PID: 4072] [CreateProcess] services.exe:720 > "C:Malwarehtran.exe -run“ [Child PID: 268] Registry Activity: ================== [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranType = 272 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranStart = 2 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranImagePath = C:Malwarehtran.exe -run [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranDisplayName = Proxy Service [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranObjectName = LocalSystem [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDescription = HUC Socks5 Proxy Service. [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatastyk = 0 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatasbpk = 8009 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataschk = 127.0.0.1 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatascpk = 80 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataslpk = 8009 Track activity per PID
Monitor Through Debugger  Or modify memory during exec (e.g. inject decrypted data into memory)  Noriben will just show process as “OllyDbg.exe” or “Immunity.exe” Set BP at JNZ Toggle Z-Flag … Profit!
Noriben Output • Designed to be simple: • Show precise IOCs without much noise. • Easy to Copy/Paste into reports, signatures, alerts, code • Can be an automated sandbox, works best alongside capable analyst • And Notepad++: double-click PID to highlight all Processes Created: ================== [CreateProcess] document.exe:3048 > "malwaredocument.exe“ [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe“ [Child PID: 3632] File Activity: ================== [CreateFile] document.exe:3260 > %TEMP%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %TEMP%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056
Options  Pre-filter content using ProcMon Configuration (PMC) filters – Reduces logs from 500 MB to < 50 MB  Import file MD5 white lists  Generalize folder paths: – “C:UsersMalwareAppDataRoaming” > %AppData% – “C:UsersMalwareAppDataLocalTemp” > %Temp%
Whitelist Filters  Simple to write!  RegEx  Just add to top of Noriben.py cmd_whitelist = [r'%SystemRoot%system32wbemwmiprvse.exe', r'%SystemRoot%system32wscntfy.exe', ... file_whitelist = [r'procmon.exe', r'Thumbs.db$', r'%SystemRoot%system32wbemLogs*', ... reg_whitelist = [r'CaptureProcessMonitor', r'HKCUSoftwareMicrosoft.*Window_Placement', r'HKCUSoftwareMicrosoftInternet ExplorerTypedURLs', r'SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.doc', r'SoftwareMicrosoftWindowsCurrentVersionExplorerRecentDocs', ...
VirusTotal  Query MD5 file hashes from VirusTotal – Requires Python-Requests library – API key in file “virustotal.api” (unless otherwise specified) – Transmits MD5 hashes ONLY (for now) – Raw results stored if debug (-d) is enabled: [*] Writing 2 VirusTotal results to Noriben_10_Jul_15__19_24_48_028000.vt.json [{"scan_id": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e- 1428647243", "sha1": "f0d23da00b382b33b343de8526eaae62df9b3049", "resource": "03721dc899125df9dba81f6d8d8997cf", "response_code": 1, "scan_date": "2015-04-10 06:27:23", "permalink": "https://www.virustotal.com/file/8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306 acacf527e/analysis/1428647243/", "verbose_msg": "Scan finished, information embedded", "sha256": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e", "positives": 42, "total": 57, "md5": "03721dc899125df9dba81f6d8d8997cf", "scans": {"Bkav": ...
YARA  Intakes a folder of YARA signatures  Requires yara lib (from source, not pip)  Soft fails on broken rules   Scans against every created, present file
Timeline Output (CSV)  For automated sandbox analysis  For knowing the timing/order of events 3:24:51,Process,CreateProcess,python.exe,2752,malwaredocument.exe,3048 3:24:51,Process,CreateProcess,document.exe,3048,malwaredocument.exe,3260 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempbwtBBCB.tmp,fa32cacce112c18253a343c3fc41935a,,[VT: Not Scanned] 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempnlibzar.exe,03721dc899125df9dba81f6d8d8997cf,,[VT: 42/57] 3:24:51,Process,CreateProcess,document.exe,3260,%Temp%nlibzar.exe,3632 3:24:52,Process,CreateProcess,nlibzar.exe,3632,%Temp%nlibzar.exe,4056 3:24:52,File,DeleteFile,nlibzar.exe,4056,%UserProfile%DesktopMALWAREdocument.exe 3:24:52,File,CreateFile,nlibzar.exe,4056,%UserProfile%Cookiesindex.dat,ad8004807700f1d8d5ab6fa8c2935ef6,, [VT: Not Scanned] 3:25:07,Network,TCP Send,nlibzar.exe,4056,66.111.47.22:80 3:25:07,Network,TCP Receive,nlibzar.exe,4056 3:25:07,File,CreateFile,nlibzar.exe,4056,%UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm,7acfe81f71e166364c90bfe156250da6,,[VT: 0/56] 3:25:15,Network,TCP Send,nlibzar.exe,4056,216.146.38.70:80 3:25:15,Network,TCP Receive,nlibzar.exe,4056 3:25:17,Network,TCP Send,nlibzar.exe,4056,8.5.1.58:80 3:25:17,Network,TCP Receive,nlibzar.exe,4056

Recommended

Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Red teaming probably isn't for you
Red teaming probably isn't for youRed teaming probably isn't for you
Red teaming probably isn't for youToby Kohlenberg
 
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Denim Group
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 

Recommended

Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Red teaming probably isn't for you
Red teaming probably isn't for youRed teaming probably isn't for you
Red teaming probably isn't for youToby Kohlenberg
 
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Denim Group
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Cyber Kill Chain.pptx
Cyber Kill Chain.pptxCyber Kill Chain.pptx
Cyber Kill Chain.pptxVivek Chauhan
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Red team Engagement
Red team EngagementRed team Engagement
Red team EngagementIndranil Banerjee
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisSam Bowne
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hackingVikram Khanna
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examInfosec
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingMITRE ATT&CK
 
Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber CrimeBrian Baskin
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 

More Related Content

What's hot

Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Cyber Kill Chain.pptx
Cyber Kill Chain.pptxCyber Kill Chain.pptx
Cyber Kill Chain.pptxVivek Chauhan
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisSam Bowne
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hackingVikram Khanna
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examInfosec
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingMITRE ATT&CK
 

What's hot (20)

Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 
Cyber Kill Chain.pptx
Cyber Kill Chain.pptxCyber Kill Chain.pptx
Cyber Kill Chain.pptx
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Red team Engagement
Red team EngagementRed team Engagement
Red team Engagement
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hacking
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the exam
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
 

Viewers also liked

Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber CrimeBrian Baskin
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemTamas K Lengyel
 
Java bytecode Malware Analysis
Java bytecode Malware AnalysisJava bytecode Malware Analysis
Java bytecode Malware AnalysisBrian Baskin
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kievuisgslide
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Lane Huff
 
Information Gathering Over Twitter
Information Gathering Over TwitterInformation Gathering Over Twitter
Information Gathering Over TwitterBrian Baskin
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptDenis Kolegov
 
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...The Linux Foundation
 
LinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and BeyondLinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and BeyondThe Linux Foundation
 
SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?AntonioMaio2
 

Viewers also liked (15)

Casual Cyber Crime
Casual Cyber CrimeCasual Cyber Crime
Casual Cyber Crime
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware Analysis
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
Java bytecode Malware Analysis
Java bytecode Malware AnalysisJava bytecode Malware Analysis
Java bytecode Malware Analysis
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kiev
 
P2P Forensics
P2P ForensicsP2P Forensics
P2P Forensics
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
 
Teach your kids to code
Teach your kids to codeTeach your kids to code
Teach your kids to code
 
Information Gathering Over Twitter
Information Gathering Over TwitterInformation Gathering Over Twitter
Information Gathering Over Twitter
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Agile scrum roles
Agile scrum rolesAgile scrum roles
Agile scrum roles
 
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...LCEU13: Securing your cloud with Xen's advanced security features - George Du...
LCEU13: Securing your cloud with Xen's advanced security features - George Du...
 
LinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and BeyondLinuxCon Japan 13 : 10 years of Xen and Beyond
LinuxCon Japan 13 : 10 years of Xen and Beyond
 
SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?SharePoint Saturday Ottawa - How secure is my data in office 365?
SharePoint Saturday Ottawa - How secure is my data in office 365?
 

Similar to Black Hat 2015 Arsenal: Noriben Malware Analysis

Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisRoberto Suggi Liverani
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017J Hartig
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Daniel Berman
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptManjuAppukuttan2
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...in.security Ltd.
 
Configuration Auditing
Configuration AuditingConfiguration Auditing
Configuration AuditingAlbert Campa
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Rhydham Joshi
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Rhydham Joshi
 
Год в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияГод в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияdefcon_kz
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 

Similar to Black Hat 2015 Arsenal: Noriben Malware Analysis (20)

Spug pt session2 - debuggingl
Spug pt session2 - debugginglSpug pt session2 - debuggingl
Spug pt session2 - debuggingl
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Zabbixconf2016(2)
Zabbixconf2016(2)Zabbixconf2016(2)
Zabbixconf2016(2)
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web Applications
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices Machine Learning and Logging for Monitoring Microservices
Machine Learning and Logging for Monitoring Microservices
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
Infosecurity Europe 2019 - Phishing & OOB Exfiltration Through Purple Tinted ...
 
Configuration Auditing
Configuration AuditingConfiguration Auditing
Configuration Auditing
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
 
Год в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияГод в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участия
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Black Hat 2015 Arsenal: Noriben Malware Analysis

  • 1. Your Personal, Portable, Malware Analysis Sandbox Brian Baskin @bbaskin github.com/Rurik
  • 2. Origin Story Nori-Ben: Seaweed Lunch Box Simplest “box” to make Cheap Minimal ingredients
  • 3. Noriben  Simple Malware Analysis Sandbox – Wrapper for Microsoft SysInternals Process Monitor (ProcMon) – Build a Sandbox VM with just: ▪ Noriben.py ▪ Procmon.exe – Optional: ▪ Extra Procmon binary filters ▪ YARA signature files ▪ VirusTotal API Key ▪ Add new filters to the script
  • 4. Goals  Quick malware analysis results  Flexibility for open-ended runs (manually stopped analysis)  Allow for user interaction  Analysis of: – GUI apps – Command line args – Malware requiring debugging (Z-flags, code/mem altering) – Long sleeps (hours, days)
  • 5. Focus  Processes, File Activity, Registry Activity, Network Activity  Log high level API calls while filtering out known noise – Thumbnail creation – Prefetch creation – Explorer registry keys (MRUs) – RecentDocs – Malware analysis tools (CaptureBat, IDA, FakeNet) – VMWare Tools – Java updater …
  • 6. ZeroAccess Processes Created: ================== [CreateProcess] Explorer.EXE:1432 > "%UserProfile%Desktophehda.exe" [Child PID: 2520] [CreateProcess] hehda.exe:2520 > "%WinDir%system32cmd.exe" [Child PID: 3444] File Activity: ================== [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357@ [MD5: 814c3536c2aab13763ac0beb7847a71f] [VT: Not Scanned] [CreateFile] hehda.exe:2520 > C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n [MD5: cfaddbb43ba973f8d15d7d2e50c63476] [YARA: ZeroAccess_Bin] [VT: 50/55] [DeleteFile] cmd.exe:3444 > %UserProfile%Desktophehda.exe Registry Activity: ================== [CreateKey] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32 [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e- 409d6c4515e9}InprocServer32ThreadingModel = Both [SetValue] hehda.exe:2520 > HKCUSoftwareClassesCLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}InprocServer32(Default) = C:RECYCLERS-1-5-21-861567501-412668190-725345543-500$fab110457830839344b58457ddd1f357n. Network Traffic: ================== [UDP] hehda.exe:2520 > google-public-dns-a.google.com:53 [UDP] google-public-dns-a.google.com:53 > hehda.exe:2520 [HTTP] hehda.exe:2520 > 50.22.196.70-static.reverse.softlayer.com:80 [TCP] 50.22.196.70-static.reverse.softlayer.com:80 > hehda.exe:2520 [UDP] hehda.exe:2520 > 83.133.123.20:53
  • 7. Upatre Campaign Processes Created: ================== [CreateProcess] python.exe:2752 > "malwaredocument.exe" [Child PID: 3048] [CreateProcess] document.exe:3048 > "malwaredocument.exe" [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe" [Child PID: 3632] [CreateProcess] nlibzar.exe:3632 > "%Temp%nlibzar.exe" [Child PID: 4056] File Activity: ================== [CreateFile] document.exe:3260 > %Temp%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %Temp%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] [DeleteFile] nlibzar.exe:4056 > %UserProfile%DesktopMALWAREdocument.exe [CreateFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE5CROVKFGZsuspendedpage[1].htm [MD5: 7acfe81f71e166364c90bfe156250da6] [VT: 0/56] [DeleteFile] nlibzar.exe:4056 > %UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 216.146.38.70:80 [TCP] 216.146.38.70:80 > nlibzar.exe:4056 [TCP] nlibzar.exe:4056 > 8.5.1.58:80 [TCP] 8.5.1.58:80 > nlibzar.exe:4056
  • 8. FakeAV (Track Activity Per Button Clicked)
  • 9. FakeAV (Track Activity Per Button Clicked) Processes Created: ================== [CreateProcess] python.exe:2376 > "C:malwareFakeAV.exe“ [Child PID: 1556] [CreateProcess] FakeAV.exe:1556 > "%WinDir%system32cmd.exe /c taskkill /f /pid 1556 & ping -n 3 127.1 & del /f /q C:malwareFakeAV.exe & start C:DOCUME~1ADMINI~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 1164] [CreateProcess] cmd.exe:1164 > "taskkill /f /pid 1556 “ [Child PID: 1344] [CreateProcess] cmd.exe:1164 > "ping -n 3 127.1 " [Child PID: 2748] [CreateProcess] cmd.exe:1164 > "C:DOCUME~1ADMINI~1LOCALS~1APPLIC~1DPNCXX~1.EXE -f“ [Child PID: 776] File Activity: ================== [CreateFile] FakeAV.exe:1556 > %AppData%dpncxxavk.exe [MD5: 8915c6a007fb93b29709be2f428e5cae] [DeleteFile] cmd.exe:1164 > C:MalwareFakeAV.exe [CreateFile] dpncxxavk.exe:776 > %AppData%GDIPFONTCACHEV1.DAT [File no longer exists] Registry Activity: ================== [RegDeleteValue] FakeAV.exe:1556 > HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnceFakeAV
  • 10. Command line (e.g. HTran) Processes Created: ================== [CreateProcess] cmd.exe:3024 > "htran“ [Child PID: 3924] [CreateProcess] cmd.exe:3024 > "htran -h“ [Child PID: 3848] [CreateProcess] cmd.exe:3024 > "htran -install“ [Child PID: 3688] [CreateProcess] cmd.exe:3024 > "htran -start“ [Child PID: 4072] [CreateProcess] services.exe:720 > "C:Malwarehtran.exe -run“ [Child PID: 268] Registry Activity: ================== [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranType = 272 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranStart = 2 [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranImagePath = C:Malwarehtran.exe -run [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranDisplayName = Proxy Service [RegSetValue] services.exe:720 > HKLMSystemCurrentControlSetServicesHTranObjectName = LocalSystem [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDescription = HUC Socks5 Proxy Service. [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatastyk = 0 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatasbpk = 8009 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataschk = 127.0.0.1 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDatascpk = 80 [RegSetValue] htran.exe:3688 > HKLMSystemCurrentControlSetServicesHTranDataslpk = 8009 Track activity per PID
  • 11. Monitor Through Debugger  Or modify memory during exec (e.g. inject decrypted data into memory)  Noriben will just show process as “OllyDbg.exe” or “Immunity.exe” Set BP at JNZ Toggle Z-Flag … Profit!
  • 12. Noriben Output • Designed to be simple: • Show precise IOCs without much noise. • Easy to Copy/Paste into reports, signatures, alerts, code • Can be an automated sandbox, works best alongside capable analyst • And Notepad++: double-click PID to highlight all Processes Created: ================== [CreateProcess] document.exe:3048 > "malwaredocument.exe“ [Child PID: 3260] [CreateProcess] document.exe:3260 > "%Temp%nlibzar.exe“ [Child PID: 3632] File Activity: ================== [CreateFile] document.exe:3260 > %TEMP%bwtBBCB.tmp [MD5: fa32cacce112c18253a343c3fc41935a] [VT: Not Scanned] [CreateFile] document.exe:3260 > %TEMP%nlibzar.exe [MD5: 03721dc899125df9dba81f6d8d8997cf] [VT: 42/57] Network Traffic: ================== [TCP] nlibzar.exe:4056 > 66.111.47.22:80 [TCP] 66.111.47.22:80 > nlibzar.exe:4056
  • 13. Options  Pre-filter content using ProcMon Configuration (PMC) filters – Reduces logs from 500 MB to < 50 MB  Import file MD5 white lists  Generalize folder paths: – “C:UsersMalwareAppDataRoaming” > %AppData% – “C:UsersMalwareAppDataLocalTemp” > %Temp%
  • 14. Whitelist Filters  Simple to write!  RegEx  Just add to top of Noriben.py cmd_whitelist = [r'%SystemRoot%system32wbemwmiprvse.exe', r'%SystemRoot%system32wscntfy.exe', ... file_whitelist = [r'procmon.exe', r'Thumbs.db$', r'%SystemRoot%system32wbemLogs*', ... reg_whitelist = [r'CaptureProcessMonitor', r'HKCUSoftwareMicrosoft.*Window_Placement', r'HKCUSoftwareMicrosoftInternet ExplorerTypedURLs', r'SoftwareMicrosoftWindowsCurrentVersionExplorerFileExts.doc', r'SoftwareMicrosoftWindowsCurrentVersionExplorerRecentDocs', ...
  • 15. VirusTotal  Query MD5 file hashes from VirusTotal – Requires Python-Requests library – API key in file “virustotal.api” (unless otherwise specified) – Transmits MD5 hashes ONLY (for now) – Raw results stored if debug (-d) is enabled: [*] Writing 2 VirusTotal results to Noriben_10_Jul_15__19_24_48_028000.vt.json [{"scan_id": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e- 1428647243", "sha1": "f0d23da00b382b33b343de8526eaae62df9b3049", "resource": "03721dc899125df9dba81f6d8d8997cf", "response_code": 1, "scan_date": "2015-04-10 06:27:23", "permalink": "https://www.virustotal.com/file/8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306 acacf527e/analysis/1428647243/", "verbose_msg": "Scan finished, information embedded", "sha256": "8e17d44a23c27f37be5eec94addd979560c0c0aec613750248c2306acacf527e", "positives": 42, "total": 57, "md5": "03721dc899125df9dba81f6d8d8997cf", "scans": {"Bkav": ...
  • 16. YARA  Intakes a folder of YARA signatures  Requires yara lib (from source, not pip)  Soft fails on broken rules   Scans against every created, present file
  • 17. Timeline Output (CSV)  For automated sandbox analysis  For knowing the timing/order of events 3:24:51,Process,CreateProcess,python.exe,2752,malwaredocument.exe,3048 3:24:51,Process,CreateProcess,document.exe,3048,malwaredocument.exe,3260 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempbwtBBCB.tmp,fa32cacce112c18253a343c3fc41935a,,[VT: Not Scanned] 3:24:51,File,CreateFile,document.exe,3260,%UserProfile%Local SettingsTempnlibzar.exe,03721dc899125df9dba81f6d8d8997cf,,[VT: 42/57] 3:24:51,Process,CreateProcess,document.exe,3260,%Temp%nlibzar.exe,3632 3:24:52,Process,CreateProcess,nlibzar.exe,3632,%Temp%nlibzar.exe,4056 3:24:52,File,DeleteFile,nlibzar.exe,4056,%UserProfile%DesktopMALWAREdocument.exe 3:24:52,File,CreateFile,nlibzar.exe,4056,%UserProfile%Cookiesindex.dat,ad8004807700f1d8d5ab6fa8c2935ef6,, [VT: Not Scanned] 3:25:07,Network,TCP Send,nlibzar.exe,4056,66.111.47.22:80 3:25:07,Network,TCP Receive,nlibzar.exe,4056 3:25:07,File,CreateFile,nlibzar.exe,4056,%UserProfile%Local SettingsTemporary Internet FilesContent.IE50V0T0HC5suspendedpage[1].htm,7acfe81f71e166364c90bfe156250da6,,[VT: 0/56] 3:25:15,Network,TCP Send,nlibzar.exe,4056,216.146.38.70:80 3:25:15,Network,TCP Receive,nlibzar.exe,4056 3:25:17,Network,TCP Send,nlibzar.exe,4056,8.5.1.58:80 3:25:17,Network,TCP Receive,nlibzar.exe,4056